1. Technical Field
The present invention relates generally to persistent web sessions. In particular, the present invention is directed to a method and apparatus for preventing the crossover of persistent data from one web session to another.
2. Description of the Related Art
Since the introduction of the World Wide Web and the subsequent commercialization of the Internet, the world has become a considerably more connected place. No longer bound to the primitive communications interfaces of the past, the Internet is now host to a variety of powerful communications media, including interactive hypertext browsing (the World Wide Web), instant messaging, streaming video and audio, and multimedia electronic mail.
Hypertext is a method of organizing textual and graphical information on a computer screen. Information is organized into “pages,” which resemble printed pages in a book or (perhaps more accurately) printed scrolls (since a hypertext page can be of any length). The primary difference between hypertext and the printed word, however, lies in the fact that hypertext pages can contain links. That is, a portion of a hypertext document, such as a phrase or a graphic, may be made sensitive to clicking by the mouse such that when the user clicks on that portion, the user is directed to a new page or a different section of the current page. For instance, it is a common practice to make bibliographic citations into links. When a user clicks on one of these citations, the cited text appears on the screen. Hypertext documents are displayed using a program called a “browser.”
The largest and best-known repository of hypertext documents is the World Wide Web, a loosely bound collection of publicly accessible hypertext documents stored on computers the world over. The World Wide Web has become the preferred Internet medium for publishable information as well as for providing such interactive features as online shopping—to the extent that the terms Internet and World Wide Web are virtually synonymous to some.
Browsers can download hypertext documents from a server with the HyperText Transfer Protocol (HTTP). HTTP allows a browser to request documents or files from a server and receive a response. In addition, when browser users enter information into a form embedded in a hypertext page, the browser transmits the information to a server using HTTP. Form information can then be passed along to applications residing on the server. Those applications can then return a result, which may be written in HTML (HyperText Markup Language). The “traditional” method for passing form data to applications was (and to some extent still is) to employ the Common Gateway Interface (CGI), which provides a uniform programming interface between a web server and web-based applications, usually referred to as “CGI scripts,” since most CGI applications are written in some form of scripting language, such as Perl.
One of the disadvantages of CGI, however, is that the CGI execution model assumes that, with each CGI request, the web server will spawn a new and separate process to execute the CGI script and service the request. On a busy server, this spawning of new processes can incur a significant amount of performance overhead. This performance problem was a primary motivation behind the creation of JAVA Servlet technology.
The JAVA Servlet API, one of the standard extension libraries to the Java programming language, addresses this performance problem by allowing multiple Web applications to be executed as threads in a single Java virtual machine that executes persistently between requests. Servlets thus avoid the high performance overhead associated with spawning a new process for each request. Another attractive feature of the JAVA Servlet API is that it is capable of maintaining data persistence over a Web session spanning multiple requests. As HTTP is a stateless protocol, maintaining this data persistence is a nontrivial task. The JAVA Servlet API shields the application programmer from much of this complexity.
Session tracking under the JAVA Servlets API centers around the use of Session objects. When a first request in a particular Web session is received, a Session object is created, which uniquely identifies the session. Data that must remain persistent across multiple requests in a session is associated with the Session object. When a subsequent request is received, those items of data that are associated with the Session object may be accessed, thus preserving the continuity of the session.
Sometimes, however, for one reason or another, data from one session is read by or written over by another session. In this document, this phenomenon is referred to as a “crossover error.” Sometimes these errors are the result of faulty library code or faulty application code. Whatever the cause, crossover errors can result in serious breaches of privacy/security of user data. These security breaches are difficult to detect and are typically identified only after significant testing of the Web application has taken place.
What is needed, therefore, is a method of automatically detecting these data crossover errors in a reliable way. The present invention provides a solution to this and other problems, and offers other advantages over previous solutions.
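The following is an added example, not part of the patent text and not the Java Servlet API itself: a plain Python model of the Session-object pattern described above (a session created on the first request, attributes attached to it, the same session looked up on later requests), extended with one defensive check. Every stored attribute is tagged with the identifier of the session that stored it, and every read verifies that the tag matches the reading session, so a value that has strayed into another session is refused and reported as a crossover error. The `Session`, `SessionManager` and `TaggedValue` names, and the `_unsafe_import_entry` method that stands in for faulty library code copying entries between sessions, are all constructed for this illustration.

```python
"""Added example: session attributes tagged with their owning session so that a
read from a different session is detected as a crossover error.  This is a
constructed Python model of the Session-object pattern, not the Java Servlet API."""
import secrets
from dataclasses import dataclass
from typing import Any, Dict, Optional


class CrossoverError(Exception):
    """Raised when data stored by one session surfaces in another session."""


@dataclass(frozen=True)
class TaggedValue:
    owner_session_id: str  # identifier of the session that stored the value
    value: Any


class Session:
    """Minimal stand-in for a servlet Session object (constructed, not the real API)."""

    def __init__(self) -> None:
        self.id = secrets.token_hex(16)  # unpredictable session identifier
        self._attributes: Dict[str, TaggedValue] = {}

    def set_attribute(self, name: str, value: Any) -> None:
        # Persistent data is stored together with the id of the storing session.
        self._attributes[name] = TaggedValue(self.id, value)

    def get_attribute(self, name: str) -> Optional[Any]:
        tagged = self._attributes.get(name)
        if tagged is None:
            return None
        # The crossover check: the tag must name this very session.
        if tagged.owner_session_id != self.id:
            raise CrossoverError(
                f"attribute {name!r} stored by session {tagged.owner_session_id[:8]}... "
                f"was read from session {self.id[:8]}..."
            )
        return tagged.value

    def _unsafe_import_entry(self, name: str, tagged: TaggedValue) -> None:
        # Hypothetical faulty library path: copies a raw entry from another
        # session without re-tagging it.  Exists only to simulate a crossover.
        self._attributes[name] = tagged


class SessionManager:
    """Creates a session on the first request and returns it on later ones."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def lookup(self, session_id: Optional[str]) -> Session:
        session = self._sessions.get(session_id) if session_id else None
        if session is None:
            session = Session()
            self._sessions[session.id] = session
        return session


def normal_flow() -> Any:
    """Two requests of one session: data stored on the first is visible on the second."""
    manager = SessionManager()
    first = manager.lookup(None)  # first request carries no session id
    first.set_attribute("cart", ["book"])
    later = manager.lookup(first.id)  # subsequent request presents the session id
    assert later is first
    return later.get_attribute("cart")


def crossover_flow() -> str:
    """Simulated crossover: an entry of session A appears in session B and is caught."""
    manager = SessionManager()
    session_a = manager.lookup(None)
    session_a.set_attribute("account", "constructed-account-A")
    session_b = manager.lookup(None)
    # Faulty code hands B the raw entry that belongs to A.
    session_b._unsafe_import_entry("account", session_a._attributes["account"])
    try:
        session_b.get_attribute("account")
    except CrossoverError:
        return "detected"
    return "undetected"


if __name__ == "__main__":
    print("normal flow returns:", normal_flow())
    print("crossover flow:", crossover_flow())
```

The check costs one string comparison per read and needs no cooperation from the code that caused the crossover, which is the point: the tag travels with the data, so whether the fault lies in library or application code, the mismatch is visible at the moment the wrong session reads it. A production version would additionally log the two session ids (truncated, as above) for the incident record rather than only raising.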